Exploiting Web 2.0 Next Generation Vulnerabilities
|
|
|
- Opal Nichols
- 8 years ago
- Views:
Transcription
1 Exploiting Web 2.0 Next Generation Vulnerabilities OWASP EU09 Poland Shreeraj Shah Chapter Lead Founder & Director Blueinfy Solutions Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation Who Am I? Founder & Director Blueinfy Solutions Pvt. Ltd. SecurityExposure.com Past experience Net Square, Chase, IBM & Foundstone Interest Web security research Published research Articles / Papers Securityfocus, O erilly, DevX, InformIT etc. Tools wsscanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories -.Net, Java servers etc. Books (Author) Web 2.0 Security Defending Ajax, RIA and SOA Hacking Web Services Web Hacking 2
2 Real Case Study Web 2.0 Portal Buy / Sell Technologies & Components Dojo, Ajax, XML Services, Blog, Widgets Scan with tools/products failed Security issues and hacks SQL injection over XML Ajax driven XSS Several XSS with Blog component Several information leaks through JSON fuzzing CSRF on both XML and JS-Array»HACKED» DEFENSE 3 Web 2.0 Architecture and Security 4
3 Web 2.0 Architecture Documents News Weather Browser Ajax Mails Internet Bank/Trade RSS feeds RIA (Flash) Internet Web 2.0 Start HTML / JS / DOM Blog Database Authentication Application Infrastructure Web Services End point 5 Web 2.0 Components Protocol Layer SOAP XML-RPC REST Server Layer Ajax Flash / RIA HTTP/HTTPS SOA/WOA SaaS HTML/CSS JavaScript Web Services Ajax Widget DOM JSON XML Traditional APIs Client Layer RSS/ATOM Text JS-Objects Custom Structure Layer 6
4 Case study - Pageflakes 7 Case study - Pageflakes Widgets Web Services 8
5 Impact of Web 2.0 Application Infrastructure Changing dimension (AI1) Protocols (AI2) Information structures (AI3) Communication methods (AI4) Information sharing Web 1.0 HTTP & HTTPS HTML transfer Synchronous Postback Refresh and Redirect Single place information (No urge for integration) Web 2.0 SOAP, XML-RPC, REST etc. over HTTP & HTTPS XML, JSON, JS Objects etc. Asynchronous & Cross-domains (proxy) Multiple sources (Urge for integrated information platform) 9 Impact of Web 2.0 Security Threats Changing dimension Web 1.0 Web 2.0 (T1) Entry points (T2) Dependencies Structured Limited Scattered and multiple Multiple technologies Information sources Protocols (T3) Vulnerabilities Server side [Typical injections] Web services [Payloads] Client side [XSS & XSRF] (T4) Exploitation Server side exploitation Both server and client side exploitation 10
6 Changes in approach Methodology Changing dimension Web 1.0 Web 2.0 Footprinting Discovery Enumeration Scanning Automated attacks Reverse engineering Code reviews Typical with "Host" and DNS Simple Structured Structured and simple Easy after discovery On the server-side [Difficult] Focus on server-side only Empowered with search Difficult with hidden calls Several streams Difficult with extensive Ajax Difficult with Ajax and web services Client-side with Ajax & Flash Client-side analysis needed 11 Web 2.0 Security Complex architecture and confusion with technologies Web 2.0 worms and viruses Sammy, Yammaner & Spaceflash Ajax and JavaScripts Client side attacks are on the rise Web Services attacks and exploitation Flash clients are running with risks 12
![the server-side [Difficult] Focus on server-side only Empowered with search Difficult with hidden calls Several streams Difficult with extensive Ajax Difficult with Ajax and web services](/docs-images/44/12059035/images/page_6.jpg "Client-side with Ajax & Flash Client-side analysis needed 11 Web 2.0 Security Complex architecture and confusion with technologies Web 2.")
7 Web 2.0 Security Mashup and un-trusted sources RSS feeds manipulation and its integration Single Sign On and information convergence at one point Widgets and third-party components are bringing security concerns Old attacks with new carriers 13 Vulnerabilities & Exploits Clients side security XML protocols and issues Information sources and processing Information structures processing SOA and Web services issues Web 2.0 server side concerns 14
8 Web 2.0 Methodologies & Challenges 15 Methodology, Scan and Attacks Web 2.0 Battle Field (Resource) Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Code Scanning Black Secure Coding White Defense Web 2.0 Firewall Secure Web
9 Challenges How to identify possible hosts running the application? Cross Domain. Identifying Ajax and RIA calls Dynamic DOM manipulations points Identifying XSS and XSRF vulnerabilities for Web 2.0 Discovering back end Web Services - SOAP, XML-RPC or REST. How to fuzz XML and JSON structures? Web Services assessment and audit Client side code review Mashup and networked application points 17 Web 2.0 Fingerprinting, Discovery & Crawling 18
10 Application Server Fingerprinting Identifying Web and Application servers. Forcing handlers to derive internal plugin or application servers like Tomcat or WebLogic. Looking for Axis or any other Web Services container. Gives overall idea about infrastructure. 19 Fingerprinting Ajax based frameworks and identifying technologies. Running with what? Atlas GWT Etc. Helps in identifying weakness of the application layer. Good idea on overall application usage. Fingerprinting RIA components running with Flash. Atlas/Ajax.NET script discovery and hidden entry points identification. Scanning for other frameworks. 20
11 Discovery Ajax running with various different structures. Developers are adding various different calls and methods for it. JavaScript can talk with back end sources. Mashups application talking with various sources. It has significant security impact. JSON, Array, JS-Object etc. Identifying and Discovery of structures. 21 Discovery JSON XML JS-Script JS-Array JS-Object 22
12 Crawling challenges Dynamic page creation through JavaScript using Ajax. DOM events are managing the application layer. DOM is having clear context. Protocol driven crawling is not possible without loading page in the browser. 23 Ajax driven site 24
13 Crawling with Ruby/Watir 25 Web 2.0 Vulnerabilities & Exploits 26
14 Ajax code review Ajax scripts are on client side and important to do source sifting on it Looking for business logic and vulnerabilities on Ajax components JavaScript analysis and review Looking for malicious calls and pattern of malware if any Very sensitive in mashup context In browser debugging would be very handy 27 Source Code Disclosure Hidden Ajax calls fetching files Discovering those calls Exploiting with../ and getting files Common with content managements systems RIA calls can be discovered as well 28
15 SQL 2.0 SQL injection over JSON streams Flash based points XML data access layer exposure Errors are not standard in and messages are embedded in the stream Application features are Asynchronous Async. SQL injection is interesting vulnerability with Web 2.0 applications RSS feed generation happens in Async. way and possible to exploit 29 XPATH injection XPATH parsing standard error XPATH is method available for XML parsing MS SQL server provides interface and one can get table content in XML format. Once this is fetched one can run XPATH queries and obtain results. What if username/password parsing done on using XPATH XPATH injection 30
16 Cross Site Request Forgery (CSRF) Generic CSRF is with GET / POST Forcefully sending request to the target application with cookie replay Leveraging tags like IMG SCRIPT IFRAME Not abide by SOP or Cross Domain is possible 31 Cross Site Request Forgery (CSRF) Is it possible to do CSRF to XML stream How? It will be POST hitting the XML processing resources like Web Services JSON CSRF is also possible Interesting check to make against application and Web 2.0 resources 32
17 One Way CSRF Scenario 33 One Way CSRF Scenario 34
18 One Way CSRF Scenario 35 One Way CSRF Scenario 36
19 One-Way CSRF 37 One-Way CSRF <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action=" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"?><methodcall><methodname>stocks.buy</methodname>< params><param><value><string>msft</string></value></param><pa ram><value><double>26</double></value></param></params></met hodcall>'> </FORM> <script>document.buy.submit();</script> </body> </html> 38
20 Forcing XML Splitting XML stream in the form. Possible through XForms as well. Similar techniques is applicable to JSON as well. 39 Cross Site Scripting (XSS) Traditional Persistent Non-persistent DOM driven XSS Relatively new Eval + DOM = Combinational XSS with Web 2.0 applications 40
21 Cross Site Scripting (XSS) What is different? Ajax calls get the stream. Inject into current DOM using eval() or any other means. May rewrite content using document.write or innerhtml calls. Source of stream can be un-trusted. Cross Domain calls are very common. 41 DOM Dynamic HTML Browser loads Document Object Model DOM can be manipulated by scripts in the browser Components History Location Forms etc. 42
22 XHR - Ajax function getajax() { var http; if(window.xmlhttprequest){ http = new XMLHttpRequest(); }else if (window.activexobject){ http=new ActiveXObject("Msxml2.XMLHTTP"); if (! http){ http=new ActiveXObject("Microsoft.XMLHTTP"); } } http.open("get", "./ajax.txt", true); http.onreadystatechange = function() { if (http.readystate == 4) { response = http.responsetext; document.getelementbyid('main').innerhtml = response; } } http.send(null); } 43 DOM based XSS if (http.readystate == 4) { var response = http.responsetext; var p = eval("(" + response + ")"); document.open(); document.write(p.firstname+"<br>"); document.write(p.lastname+"<br>"); document.write(p.phonenumbers[0]); document.close(); 44
23 DOM based XSS document.write( ) document.writeln( ) document.body.innerhtml= document.forms[0].action= document.attachevent( ) document.create ( ) document.execcommand( ) document.body. window.attachevent( ) document.location= document.location.hostname= document.location.replace( ) document.location.assign( ) document.url= window.navigate( ) 45 DOM based XSS document.open( ) window.open( ) window.location.href= (and assigning to location s href, host and hostname) eval( ) window.execscript( ) window.setinterval( ) window.settimeout( ) 46
24 Scenario Blog JSON feed Vulnerable stream coming through proxy 8008 attacker Hijack Posting to the site [Malicious code] Web Server proxy Web app Web app DB Web Client JSON eval() XSS 47 XSS with JSON stream 48
25 XSS with RIA Applications running with Flash components geturl injection is possible SWFIntruder Flasm/Flare ( 49 RSS feeds - Exploits RSS feeds coming into application from various un-trusted sources. Feed readers are part of 2.0 Applications. Vulnerable to XSS. Malicious code can be executed on the browser. Several vulnerabilities reported. 50
26 RSS feeds 51 Mashups Hacks API exposure for Mashup supplier application. Cross Domain access by callback may cause a security breach. Confidential information sharing with Mashup application handling needs to be checked storing password and sending it across (SSL) Mashup application can be man in the middle so can t trust or must be trusted one. 52
27 Widgets/Gadgets - Hacks DOM sharing model can cause many security issues. One widget can change information on another widget possible. CSRF injection through widget code. Event hijacking is possible Common DOM IFrame for widget is a MUST 53 SOA Hacks Discovering Web Services Profiling and Enumerating through WSDL Attacking Web Services SOAP manipulation is the key 54
28 Conclusion Questions 55